Re: [PATCH nf-next 4/4] netfilter: rt: add support to fetch path mss


 



On Tue, 2017-08-08 at 15:15 +0200, Florian Westphal wrote:
> to be used in combination with tcp option set support to mimic
> iptables TCPMSS --clamp-mss-to-pmtu.
> 
> Signed-off-by: Florian Westphal <fw@xxxxxxxxx>
> ---
>  include/uapi/linux/netfilter/nf_tables.h |  2 +
>  net/netfilter/nft_rt.c                   | 65 ++++++++++++++++++++++++++++++++
>  2 files changed, 67 insertions(+)
> 
> diff --git a/include/uapi/linux/netfilter/nf_tables.h b/include/uapi/linux/netfilter/nf_tables.h
> index 40fd199f7531..b49da72efa68 100644
> --- a/include/uapi/linux/netfilter/nf_tables.h
> +++ b/include/uapi/linux/netfilter/nf_tables.h
> @@ -811,11 +811,13 @@ enum nft_meta_keys {
>   * @NFT_RT_CLASSID: realm value of packet's route (skb->dst->tclassid)
>   * @NFT_RT_NEXTHOP4: routing nexthop for IPv4
>   * @NFT_RT_NEXTHOP6: routing nexthop for IPv6
> + * @NFT_RT_TCPMSS: fetch current path tcp mss
>   */
>  enum nft_rt_keys {
>  	NFT_RT_CLASSID,
>  	NFT_RT_NEXTHOP4,
>  	NFT_RT_NEXTHOP6,
> +	NFT_RT_TCPMSS,
>  };
>  
>  /**
> diff --git a/net/netfilter/nft_rt.c b/net/netfilter/nft_rt.c
> index c7383d8f88d0..69ed601d6fc6 100644
> --- a/net/netfilter/nft_rt.c
> +++ b/net/netfilter/nft_rt.c
> @@ -23,6 +23,41 @@ struct nft_rt {
>  	enum nft_registers	dreg:8;
>  };
>  
> +static u16 get_tcpmss(const struct nft_pktinfo *pkt, const struct dst_entry *skbdst)
> +{
> +	u32 minlen = sizeof(struct ipv6hdr), mtu = dst_mtu(skbdst);
> +	const struct sk_buff *skb = pkt->skb;
> +	const struct nf_afinfo *ai;
> +	struct dst_entry *dst;
> +	struct flowi fl;
> +
> +	memset(&fl, 0, sizeof(fl));
> +
> +	switch (nft_pf(pkt)) {
> +	case NFPROTO_IPV4:
> +		fl.u.ip4.daddr = ip_hdr(skb)->saddr;
> +		minlen = sizeof(struct iphdr);
> +		break;
> +	case NFPROTO_IPV6:
> +		fl.u.ip6.daddr = ipv6_hdr(skb)->saddr;
> +		break;
> +	}
> +
> +	ai = nf_get_afinfo(nft_pf(pkt));
> +	if (ai)
> +		ai->route(nft_net(pkt), &dst, &fl, false);
> +

If ai is NULL, dst is never assigned and might contain garbage.

> +	if (dst) {
> +		mtu = min(mtu, dst_mtu(dst));
> +		dst_release(dst);
> +	}
> +
> +	if (mtu <= minlen || mtu > 0xffff)
> +		return TCP_MSS_DEFAULT;
> +
> +	return mtu - minlen;
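Review bot: The value returned at `return mtu - minlen;` overshoots the real path MSS by the TCP header size, because `minlen` only accounts for the network header (the initialiser uses `sizeof(struct ipv6hdr)` and the NFPROTO_IPV4 case sets `sizeof(struct iphdr)`); MSS is the TCP payload size, so both the IP and the TCP header must be subtracted from the path MTU, which is what the TCPMSS --clamp-mss-to-pmtu behaviour the commit message refers to does. Change the declaration to `u32 minlen = sizeof(struct ipv6hdr) + sizeof(struct tcphdr), mtu = dst_mtu(skbdst);` and the IPv4 case to `minlen = sizeof(struct iphdr) + sizeof(struct tcphdr);`. Separately, the return value of `ai->route()` is discarded, so if the family-specific route helper reports failure without touching `*dst` (as the IPv4 helper appears to), the later `if (dst)` check cannot tell a failed lookup from a successful one; checking the return code in addition to `dst` would make that path explicit. The function's closing brace and the remainder of the hunk lie outside the quoted portion.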






